Windows update changes Group Policy Security Filtering (MS16-072)

With the 14 June 2016 patches, Microsoft released a Windows update that changes how Security Filtering is processed for Group Policies, and this change may cause group policies to fail to apply on company computers.

To avoid the potential issue, follow the instructions below and be sure to apply one of the recommended resolution steps.

MS16-072: Security update for Group Policy: June 14, 2016

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

Before MS16-072 is installed, user group policies were retrieved by using the user’s security context.

After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.

Issues may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group, or if you are using security filtering and are missing the Read permissions for the Domain Computers group.

Recommended resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of these steps:

Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).

If you are using custom security filtering, add the Domain Computers group with Read permission to each policy.

The Domain Computers group is by default part of the Authenticated Users group, so you only need to add Domain Computers to the GPO with Read permissions if you want to avoid Authenticated Users having Read permission on some Group Policy Objects.

To solve issues related to MS16-072, it is not required to also grant the “Apply group policy” permission to the Authenticated Users group; doing so may completely change the target of the policy settings.
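The following audit script is an added example, not code from the Microsoft article or from Ian Farr’s script; it checks each GPO in the current domain for the Read permission the computer context needs after MS16-072 and, only when -Fix is given, grants Authenticated Users Read (never Apply). It assumes the GroupPolicy RSAT module is available and that the account running it can read (and, with -Fix, modify) every GPO.

```powershell
# Added example: audit GPO security filtering for MS16-072 (not the KB article's code).
# Assumes the GroupPolicy RSAT module and rights to read/modify GPO permissions.
Import-Module GroupPolicy

# Any of these levels includes Read on the GPO, which the computer context needs.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-Ms16072GpoPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, grant Authenticated Users GpoRead (Read only, not Apply) on GPOs that lack it.
        [switch]$Fix
    )
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $authUsers = $perms | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -in $ReadLevels }
        $domComputers = $perms | Where-Object {
            $_.Trustee.Name -eq 'Domain Computers' -and $_.Permission -in $ReadLevels }

        if ($authUsers) {
            $status = 'OK'
            $note   = 'Authenticated Users can read the GPO'
        } elseif ($domComputers) {
            # Custom security filtering that excludes Authenticated Users but still lets computers read.
            $status = 'INFO'
            $note   = 'No Authenticated Users entry, but Domain Computers has Read'
        } else {
            $status = 'WARN'
            $note   = 'Neither Authenticated Users nor Domain Computers can read: user settings will fail'
            if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Authenticated Users GpoRead')) {
                Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                    -TargetType Group -PermissionLevel GpoRead | Out-Null
                $status = 'FIXED'
            }
        }
        [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Status = $status; Note = $note }
    }
}

# Report only; run with -Fix -WhatIf to preview changes and -Fix to apply them.
Test-Ms16072GpoPermission | Sort-Object Status | Format-Table -AutoSize
```

Review the INFO rows by hand: a GPO that deliberately excludes Authenticated Users is correct as long as Domain Computers keeps Read, and the script never adds Apply.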

To get an overview of your environment, the following cmdlet can be used to generate a report for all Group Policies in the current domain:

Get-GPOReport -All -ReportType Html -Path C:\TEMP\GPOReportsAll.html

Search for errors: “Reason Denied: Inaccessible, Empty or Disabled”

UPDATE

To get an overview of the affected policies, Ian Farr (“PoSh Chap”) from Microsoft’s Global Business Support group has created a PowerShell script that queries all GPOs and outputs colored warnings for the policies whose Security Filtering must be adjusted to avoid issues related to the MS16-072 update.

Besides the Red output, which relates to policies requiring a change of their Security Filtering (refer to the resolution steps above in this post), the PowerShell script also displays these three types of INFORMATION output:

Yellow – the GPO does not have an Authenticated Users permission, but does contain a Domain Computers permission

Yellow – the GPO has an Authenticated Users permission that is not “GpoApply” (Read / Apply) or “GpoRead” (Read)